Formal verification of side-channel countermeasures using self-composition

Formal verification of cryptographic software implementations poses significant challenges for off-the-shelf tools. This is due to the domain-specific characteristics of the code, involving aggressive optimizations and non-functional security requirements, namely the critical aspect of countermeasures against side-channel attacks. In this paper, we extend previous results supporting the practicality of self-composition proofs of non-interference and generalizations thereof. We tackle the formal verification of high-level security policies adopted in the implementation of the recently proposed NaCl cryptographic library. We formalize these policies and propose a formal verification approach based on self-composition, extending the range of security policies that could previously be handled using this technique. We demonstrate our results by addressing compliance with the NaCl security policies in real-world cryptographic code, highlighting the potential for automation of our techniques.This work was partially supported by project SMART, funded by ENIAC joint Undertaking (GA 120224)

Formal verification of side channel countermeasures using self-composition

Formal verification of cryptographic software implementations poses significant challenges for off-the-shelf tools. This is due to the domain-specific characteristics of the code, involving aggressive optimisations and non-functional security requirements, namely the critical aspect of countermeasures against side-channel attacks. In this paper we extend previous results supporting the practicality of self-composition proofs of non-interference and generalisations thereof. We tackle the formal verification of high-level security policies adopted in the implementation of the recently proposed NaCl cryptographic library. We formalize these policies and propose a formal verification approach based on self-composition, extending the range of security policies that could previously be handled using this technique. We demonstrate our results by addressing compliance with the NaCl security policies in real-world cryptographic code, highlighting the potential for automation of our techniques.Fundação para a Ciência e a Tecnologia (FCT

ПРОГРАМНА BITSLICED-ІМПЛЕМЕНТАЦІЯ ШИФРУ «КАЛИНА» ОРІЄНТОВАНА НА ВИКОРИСТАННЯ SIMD-ІНСТРУКЦІЙ МІКРОПРОЦЕСОРІВ З АРХІТЕКТУРОЮ Х86-64

The article is devoted to software bitsliced implementation of the Kalyna cipher using vector instructions SSE, AVX, AVX-512 for x86-64 processors. The advantages and disadvantages of different approaches to efficient and secure block cipher software implementation are shown. It is noted that bitslicing technology combines high speed and resistance to time and cache attacks, but its application to the Kalyna cipher is not available at the moment. The basic approaches to data representation and bitsliced encryption operations are considered, special attention is paid to the effective implementation of SubBytes operation, which largely determines the final performance. Existing methods for minimizing logical functions have been shown to either fail to produce the result in bitsliced format in the case of 8-bit non-algebraic SBoxs, or far from optimal. A heuristic algorithm for minimizing logic functions describing Kalyna SBoxes using the operations of AND, OR, XOR, NOT available in the instruction set of low- and high-end processors is proposed. The results show that a bitsliced description of one SBox requires about 520 gates, which is significantly less than other methods. Possible ways to increase performance by regrouping data into bitsliced variables before and after the SubBytes operation are indicated, which results in more efficient use of vector registers. The bitsliced implementations of Kalyna cipher were measured using C++ compilers from Microsoft and GCC for the Intel Xeon Skylake-SP processor. The results of the bitsliced Kalyna implementation can also be transferred to processors that do not support SIMD instructions, including low-end, to increase resistance to attacks through third-party channels. They also enable switching to ASIC or FPGA-based bitsliced implementation of Kalyna.Статтю присвячено програмній bitsliced-імплементації шифру «Калина» з використанням векторних інструкцій SSE, AVX, AVX-512 для х86-64 процесорів. Проаналізовано переваги і недоліки різних підходів до ефективної та захищеної програмної реалізації блокових шифрів. Відзначено, що технологія bitslicing поєднує в собі високу швидкодію та стійкість до часових- і кеш-атак, проте наразі відсутні її застосування щодо шифру «Калина». Розглянуто основні підходи до представлення даних і виконання операцій шифру у bitsliced-форматі, особливу увагу приділено ефективній реалізації операції SubBytes, що значною мірою визначає кінцеву швидкодію. Показано, що існуючі методи мінімізації логічних функцій або не дають змогу отримати результат у bitsliced-форматі у випадку 8-бітних неалгебраїчних SBox-ів, або результати далекі від оптимальних. Запропоновано евристичний алгоритм мінімізації логічних функцій, що описують SBox-и «Калини» з використанням операцій AND, OR, XOR, NOT, наявних у системі команд low- та high-end процесорів. У роботі одержані результати, які засвідчили, що для bitsliced-опису одного SBox потрібно близько 520 вентилів, що є відчутно менше ніж забезпечують інші методи. Вказано можливі шляхи збільшення швидкодії завдяки перегрупуванню даних в bitsliced-змінних до і після операції SubBytes, що призводить до ефективнішого використання векторних регістрів. Проведено вимірювання швидкодії bitsliced-реалізацій шифру «Калина» з використанням С++ компіляторів Microsoft та GCC для процесора Intel Xeon Skylake-SP. Одержані у роботі результати bitsliced-реалізації «Калина» можуть бути перенесені і на процесори, які не підтримують SIMD-інструкції, у тому числі low-end, щоб підвищити стійкість до атак через сторонні канали. Також вони дають змогу перейти до апаратної bitsliced-реалізації «Калини» на базі ASIC чи FPGA

Improving the Performance of the SYND Stream Cipher

International audience. In 2007, Gaborit et al. proposed the stream cipher SYND as an improvement of the pseudo random number generator due to Fischer and Stern. This work shows how to improve considerably the e ciency the SYND cipher without using the so-called regular encoding and without compromising the security of the modi ed SYND stream cipher. Our proposal, called XSYND, uses a generic state transformation which is reducible to the Regular Syndrome Decoding problem (RSD), but has better computational characteristics than the regular encoding. A rst implementation shows that XSYND runs much faster than SYND for a comparative security level (being more than three times faster for a security level of 128 bits, and more than 6 times faster for 400-bit security), though it is still only half as fast as AES in counter mode. Parallel computation may yet improve the speed of our proposal, and we leave it as future research to improve the e ciency of our implementation

SoC It to EM:ElectroMagnetic Side-Channel Attacks on a Complex System-on-Chip

Increased complexity in modern embedded systems has presented various important challenges with regard to side-channel attacks. In particular, it is common to deploy SoC-based target devices with high clock frequencies in security-critical scenarios; understanding how such features align with techniques more often deployed against simpler devices is vital from both destructive (i.e., attack) and constructive (i.e., evaluation and/or countermeasure) perspectives. In this paper, we investigate electromagnetic-based leakage from three different means of executing cryptographic workloads (including the general purpose ARM core, an on-chip co-processor, and the NEON core) on the AM335x SoC. Our conclusion is that addressing challenges of the type above {\em is} feasible, and that key recovery attacks can be conducted with modest resources

Secure and Fast Implementations of Two Involution Ciphers

Anubis and Khazad are closely related involution block ciphers. Building on two recent AES software results, this work presents a number of constant-time software implementations of Anubis and Khazad for processors with a byte-vector shuffle instruction, such as those that support SSSE3. For Anubis, the first is serial in the sense that it employs only one cipher instance and is compatible with all standard block cipher modes. Efficiency is largely due to the S-box construction that is simple to realize using a byte shuffler. The equivalent for Khazad runs two parallel instances in counter mode. The second for each cipher is a parallel bit-slice implementation in counter mode

Constant-time discrete Gaussian sampling

© 2018 IEEE. Sampling from a discrete Gaussian distribution is an indispensable part of lattice-based cryptography. Several recent works have shown that the timing leakage from a non-constant-time implementation of the discrete Gaussian sampling algorithm could be exploited to recover the secret. In this paper, we propose a constant-time implementation of the Knuth-Yao random walk algorithm for performing constant-time discrete Gaussian sampling. Since the random walk is dictated by a set of input random bits, we can express the generated sample as a function of the input random bits. Hence, our constant-time implementation expresses the unique mapping of the input random-bits to the output sample-bits as a Boolean expression of the random-bits. We use bit-slicing to generate multiple samples in batches and thus increase the throughput of our constant-time sampling manifold. Our experiments on an Intel i7-Broadwell processor show that our method can be as much as 2.4 times faster than the constant-time implementation of cumulative distribution table based sampling and consumes exponentially less memory than the Knuth-Yao algorithm with shuffling for a similar level of security

Моделювання режиму вибіркового гамування із прискореним виробленням імітовставки

This article discusses the selective Galois counter mode with rapid generation of Galois message authentication code (Galois/Counter Mode and GMAC - GCM & GMAC). Specification of this coding mode is presented in NIST SP 800-38D. This coding mode is designed for realization of rapid cryptotransformation in providing information security services using different cryptographic primitives, such as polynomial hashing, counter and other. Using of proposed coding mode ensures the integrity and confidentiality of information. The article developed a reduced model of the mode. Reduced model preserves the algebraic structure of all main cryptotransformations by their scaling. Developed reduced model will use for experimental studies of collision properties of generated message authentication codes using the methods of statistical testing of hypotheses and mathematical statistics. This article discusses practical examples of cryptoprimitives and cryptotransformations.Рассматривается режим выборочного гаммирования с ускоренной выработкой имитовставки (Galois/Counter Mode and GMAC), спецификация которого представлена в NIST SP 800-38D. Разрабатывается уменьшенная модель режима, которая сохраняет алгебраическую структуру всех основных криптопреобразований и позволяет за счёт их масштабирования провести экспериментальные исследования коллизионных свойств сформированных имитовставок с последующим прогнозированием уровня криптографической стойкости полной версии шифра.Розглядається режим вибіркового гамування із прискореним виробленням імітовставки (Galois/Counter Mode and GMAC), специфікацію якого наведено у стандарті NIST SP 800-38D. Розробляється зменшена модель режиму, яка зберігає алгебраїчну структуру всіх основних криптоперетворень та дозволяє за рахунок їхнього масштабування провести експериментальні дослідження колізійних властивостей формованих імітовставок з подальшим прогнозуванням рівня криптографічного стійкості повної версії шифру

Apple vs. EMA: Electromagnetic Side Channel Attacks on Apple CoreCrypto

Cryptographic instruction set extensions are commonly used for ciphers which would otherwise face unacceptable side channel risks. A prominent example of such an extension is the ARMv8 Cryptographic Extension, or ARM CE for short, which defines dedicated instructions to securely accelerate AES. However, while these extensions may be resistant to traditional digital side channel attacks, they may still vulnerable to physical side channel attacks. In this work, we demonstrate the first such attack on a standard ARM CE AES implementation. We specifically focus on the implementation used by Apple’s CoreCrypto library which we run on the Apple A10 Fusion SoC. To that end, we implement an optimized side channel acquisition infrastructure involving both custom iPhone software and accelerated analysis code. We find that an adversary which can observe 5-30 million known-ciphertext traces can reliably extract secret AES keys using electromagnetic (EM) radiation as a side channel. This corresponds to an encryption operation on less than half of a gigabyte of data, which could be acquired in less than 2 seconds on the iPhone 7 we examined. Our attack thus highlights the need for side channel defenses for real devices and production, industry-standard encryption software